TensorFlow SavedModel object-graph node-cardinality PoC

This repository contains a benign security-research proof of concept: a TensorFlow SavedModel that drives large memory growth during tf.saved_model.load() by inflating object_graph_def.nodes (the node list of the SavedObjectGraph stored in saved_model.pb).

Files:

  • saved_model.pb
  • variables/variables.data-00000-of-00001
  • variables/variables.index
  • fingerprint.pb
  • build_poc.py

Reproduction:

OPENBLAS_NUM_THREADS=1 OMP_NUM_THREADS=1 MKL_NUM_THREADS=1 /usr/bin/time -v \
python3 - <<'PY'
import tensorflow as tf
m = tf.saved_model.load(".")
print(type(m))
PY

Expected observable:

  • load succeeds in the real tf.saved_model.load() path
  • peak RSS grows to roughly 1.45 GB on the test machine
  • this is significantly higher than the peak RSS of the baseline seed SavedModel load

This repository is for defensive security validation and triage only.
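A pre-load check that fits the triage use above, added here as an example (not code from this repository): it counts object_graph_def.nodes directly from the saved_model.pb wire format, so an inflated model can be flagged before tf.saved_model.load() allocates anything. Field numbers are taken from the TensorFlow proto definitions; the sample bytes are constructed, and any threshold a deployment applies to the count is an assumption to tune against known-good models.

```python
# Added pre-load guard (not part of this repository): count object_graph_def.nodes in
# saved_model.pb by walking the protobuf wire format, without importing TensorFlow.
# Field numbers: SavedModel.meta_graphs = 2, MetaGraphDef.object_graph_def = 7,
# SavedObjectGraph.nodes = 1 (from tensorflow/core/protobuf/*.proto).

def _read_varint(buf, pos):
    """Decode a base-128 varint at buf[pos]; return (value, next_pos)."""
    result, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def _fields(buf):
    """Yield (field_number, wire_type, value) for each field in one message."""
    pos = 0
    while pos < len(buf):
        key, pos = _read_varint(buf, pos)
        field, wtype = key >> 3, key & 7
        if wtype == 0:                      # varint scalar
            value, pos = _read_varint(buf, pos)
        elif wtype == 2:                    # length-delimited: nested message / bytes
            length, pos = _read_varint(buf, pos)
            value, pos = buf[pos:pos + length], pos + length
        elif wtype in (1, 5):               # fixed64 / fixed32
            size = 8 if wtype == 1 else 4
            value, pos = buf[pos:pos + size], pos + size
        else:
            raise ValueError(f"unsupported wire type {wtype}")
        yield field, wtype, value

def count_object_graph_nodes(saved_model_bytes):
    """Total SavedObjectGraph.nodes across every MetaGraphDef in the SavedModel."""
    total = 0
    for field, wtype, meta_graph in _fields(saved_model_bytes):
        if field == 2 and wtype == 2:
            for f, w, graph in _fields(meta_graph):
                if f == 7 and w == 2:
                    total += sum(1 for n, nw, _ in _fields(graph) if n == 1 and nw == 2)
    return total

def encode_ld(field, payload):
    """Encode one length-delimited field (field < 16); used only to build the sample."""
    out, n = bytes([(field << 3) | 2]), len(payload)
    while n > 0x7F:
        out, n = out + bytes([(n & 0x7F) | 0x80]), n >> 7
    return out + bytes([n]) + payload

# Constructed sample: schema_version=1, one MetaGraphDef whose object graph has 3 nodes.
SAMPLE_SAVED_MODEL = b"\x08\x01" + encode_ld(2, encode_ld(7, encode_ld(1, b"") * 3))
```

Run count_object_graph_nodes(open("saved_model.pb", "rb").read()) against this PoC and against the baseline seed SavedModel; the gap between the two counts is the signal to alert on.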
